Introduction to the CWA process - CRISP Final Conference
1 like275 views
The document summarizes a workshop on developing a CEN Workshop Agreement (CWA) on evaluating security, trustworthiness, efficiency, and freedom infringement (STEFi) of surveillance systems based on the CRISP project. The CWA provides (1) guidelines for STEFi evaluations, (2) assessment questions across the four dimensions for video surveillance systems, and (3) details on roles and the evaluation/certification process. Next steps are establishing a certification scheme supported by relevant stakeholders to apply the CWA methodology.
![CRISP final conference 6th CoU Meeting, 16 March 2017
Example Annex A - Security
Ref.
CRITERION, Attribute Assessment question Assessment requirement
Relation with standards or
regulation
SECURITY DIMENSION
S.1 Are there measures in place for assessing possible threats (prior as well as after the installation of the system) and in further consequence
to adequately address situations involving possible threats?
S.1.1 RISK, Threats 1. Has a risk assessment been
performed prior to the design and
installation of the video surveillance
system, assessing the probability and
the impact of threats and hazards on
the operational site? [yes/no]
2. Which issues have been addressed in
the risk assessment and have the
results of the assessment been
included in the design and installation
of the system? [qualitative]
Prior to video surveillance system design, a
risk assessment shall be performed, which
will identify threats and hazards to the
premises and assess their likelihood.
The required security functions for the
mitigation of the threats shall be identified
and the video surveillance system will be
designed in a way to mitigate the assessed
risks at the specified location and in regard to
the identified threats.
EN-IEC 62676-4 2015
(Clause 4.2ff.)
(ISO 31000:2009 describes
the principles for the
carrying out of a risk
assessment.)](https://image.slidesharecdn.com/4-170323102537/85/Introduction-to-the-CWA-process-CRISP-Final-Conference-19-320.jpg)
![CRISP final conference 6th CoU Meeting, 16 March 2017
Example Annex A – Freedom infringement
Fi.3.1
2
PERSONAL DATA,
Storage limitation
1. Is the retention limit of video footage
and/or the personal data potentially
extracted form it clearly defined? Does
the retention time reflect the minimum
time that is necessary for the purposes
for which the personal data are
processed? [yes/no]
2. How are retention limits enforced in
practice? [qualitative]
Personal data processed by the video
surveillance system shall be kept in a form
which permits identification of data subjects
for no longer than is necessary for the
purposes for which the personal data are
processed.
Art 5.1e GDPR
Provisions in national
legislation (if existing).
Fi.3.1
3
PERSONAL DATA,
Processing which does
not require identification
1. If the purposes for which the operator
processes personal data do not or do
no longer require the identification of a
data subject by the controller, does the
controller maintain, acquire or process
additional information in order to
identify the data subject? [yes/no]
2. What are the internal policy provisions
to assure non identification?
[qualitative]
Processing personal data by video
surveillance system which does not require
identification shall be in line with conditions
from GDPR Article 11.
Art. 11 GDPR](https://image.slidesharecdn.com/4-170323102537/85/Introduction-to-the-CWA-process-CRISP-Final-Conference-20-320.jpg)
Introduction to the CWA process - CRISP Final Conference
- 1. CRISP final conference 6th CoU Meeting, Brussels, 16 March 2017 THEMATIC WORKSHOP STEFI Ronald Boon/Dick Hortensius Netherlands Standardisation Institute (NEN)
- 2. CRISP final conference 6th CoU Meeting, 16 March 2017 Programme for this session Introduction to the STEFi evaluation Nathalie Hirschman, TUB CTS CCTV standards in support of certification Frank Rottman, Bosch, IEC CLCTC 79/WG 12 CCTV systems and privacy protection Erik Krempel, Fraunhofer Institute CWA on the STEFi evaluation Dick Hortensius, NEN Panel discussion Presenters plus expets of the CRISP consortium Wrap-up and conclusions
- 3. CEN Workshop Agreement on STEFi evaluation 30 September 2016 Dick Hortensius Netherlands Standardisation Institute
- 4. Agenda for the presentation Why a CWA? Development process Scope and content Next steps
- 5. Why a CEN Workshop Agreement? Standards: are voluntary agreements between parties provide practical solutions support international trade can support public policies and legislation are developed and maintained according to systematic processes involving all relevant stakeholders effective means for disseminating results of research projects
- 6. Standards, legislation and conformity assessment
- 7. Standards as basis for certification
- 8. Standards for CRISP Information provider Audit review & decision Auditor EVALUATION CERTIFICATION SurveillanceAttestation Assessment STEFi Configuration Selection and Determination R2R1 a.o. ISO 17065 Functional approach to (product) certification (ISO 17000) CRISP Certification Scheme CWA
- 9. CEN / CENELEC deliverables Produced in Technical Committees with national delegations: European Standards – EN Technical Specifications - TS Technical Reports - TR Produced in Workshops with individual interested parties: CEN/CLC Workshop Agreements - CWAs
- 10. The Workshop Concept Flexible working platform: Light procedures Direct and voluntary participation of stakeholders Participants decide on the working arrangements Open to any company or organization: Inside or outside Europe Public process Rapid elaboration of consensus documents Few physical meetings Work by electronic means encouraged
- 11. CEN-CLC Workshop Agreement(CWA) Final deliverable of the Workshop - Voluntary application Content : technical specifications, guidance material, best practice, information, etc. They can be the basis for a European or international standard at a later stage CEN IPR policy and exploitation rights are applicable to CWAs (no free availability)
- 12. Development process Project Plan Publication of CWA CWA drafting & adoption Kick-off Meeting Describing – Scope – Objectives – Schedule Confirming – Project Plan – Rules of the Workshop – Chairperson – Secretariat Consensus Process – Workshop participants – Public consultation where required Validity of 3 years - Re- confirmation possible only once
- 13. Development process Project Plan Publication of CWA CWA drafting & adoption Kick-off Meeting Describing – Scope – Objectives – Schedule Confirming – Project Plan – Rules of the Workshop – Chairperson – Secretariat Consensus Process – Workshop participants – Public consultation where required Validity of 3 years - Re- confirmation possible only once CRISP: August 2016 CRISP: 17 October 2016 CRISP: November 2016 - January 2017 2nd WS: 16 January 2017 Consultation: February 2017 Approval: March 2017 Publication: April 2017
- 14. CRISP final conference 6th CoU Meeting, 16 March 2017 CEN Workshop Agreement Characteristics Guidelines for STEFi evaluation Planned and installed security systems (specific context) Example: video surveillance systems (CCTV)
- 15. CRISP final conference 6th CoU Meeting, 16 March 2017 Content of the CWA Scope Terms and definitions The methodology Basics of the evaluation/certification approach The four dimensions Parties involved (roles/responsibilities) The STEFi evaluation process Certification Annex A – STEFi assessment questions and related requirementss for CCTV Annex B – Overview of relevant standards
- 16. Focus of the CWA Information provider Audit review & decision Auditor EVALUATION CERTIFICATION SurveillanceAttestation Assessment STEFi Configuration Selection and Determination R2R1 Aim: describe the STEFi evaluation in such a way that reproducible results are achieved by different evaluation bodies
- 17. CRISP final conference 6th CoU Meeting, 16 March 2017 Parties involved in the process
- 18. CRISP final conference 6th CoU Meeting, 16 March 2017 Annex A – Assessment questions and requirements for CCTV For all 4 STEFi dimensions: Security: 15 Trust: 16 Efficiency: 15 Freedom Infringement: 33
- 19. CRISP final conference 6th CoU Meeting, 16 March 2017 Example Annex A - Security Ref. CRITERION, Attribute Assessment question Assessment requirement Relation with standards or regulation SECURITY DIMENSION S.1 Are there measures in place for assessing possible threats (prior as well as after the installation of the system) and in further consequence to adequately address situations involving possible threats? S.1.1 RISK, Threats 1. Has a risk assessment been performed prior to the design and installation of the video surveillance system, assessing the probability and the impact of threats and hazards on the operational site? [yes/no] 2. Which issues have been addressed in the risk assessment and have the results of the assessment been included in the design and installation of the system? [qualitative] Prior to video surveillance system design, a risk assessment shall be performed, which will identify threats and hazards to the premises and assess their likelihood. The required security functions for the mitigation of the threats shall be identified and the video surveillance system will be designed in a way to mitigate the assessed risks at the specified location and in regard to the identified threats. EN-IEC 62676-4 2015 (Clause 4.2ff.) (ISO 31000:2009 describes the principles for the carrying out of a risk assessment.)
- 20. CRISP final conference 6th CoU Meeting, 16 March 2017 Example Annex A – Freedom infringement Fi.3.1 2 PERSONAL DATA, Storage limitation 1. Is the retention limit of video footage and/or the personal data potentially extracted form it clearly defined? Does the retention time reflect the minimum time that is necessary for the purposes for which the personal data are processed? [yes/no] 2. How are retention limits enforced in practice? [qualitative] Personal data processed by the video surveillance system shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Art 5.1e GDPR Provisions in national legislation (if existing). Fi.3.1 3 PERSONAL DATA, Processing which does not require identification 1. If the purposes for which the operator processes personal data do not or do no longer require the identification of a data subject by the controller, does the controller maintain, acquire or process additional information in order to identify the data subject? [yes/no] 2. What are the internal policy provisions to assure non identification? [qualitative] Processing personal data by video surveillance system which does not require identification shall be in line with conditions from GDPR Article 11. Art. 11 GDPR
- 21. CRISP final conference 6th CoU Meeting, 16 March 2017 Next steps to a certification scheme “CRISP organization” supported by relevant stakeholders
- 22. CRISP final conference 6th CoU Meeting, 16 March 2017 Panel discussion Nathalie Hirschmann, TUB CST Frank Rottmann, Bosch, IEC/CLC TC 79 Erik Krempel, Fraunhofer Institute Dick Hortensius, NEN Jelena Burnik, IPRS Simone Wurster, TUB Jorje Viguri, UJI Roger von Laufenberg, VICESSE Moderator: Ronald Boon, NEN